What Are the DoD Cloud Computing Security Assessment Requirements?
Blog Article Published: 01/26/2023
Originally published by Schellman.
Written by Jon Coffelt, Schellman.
When you compare the two tallest mountains in the world—K2 and Everest—some of the facts might surprise you. For instance, did you know that K2’s climbing route is more technical than that of the tallest mountain in the world?
In fact, in terms of the journey from foot to peak, the K2 summit is actually farther than Mount Everest. That’s why roughly only 300 people have climbed it, compared to approximately four thousand summits on Everest.
To put this in federal compliance terms, if FedRAMP is the prominent Everest, then Department of Defense (DoD) requirements are K2.
Everybody knows FedRAMP by this point, but when preparing an initial cloud service offering (CSO) for use by the DoD, you must implement controls above and beyond those baselines, including NIST SP 800-53 controls, Non-NIST based DoD requirements, and DoD General Readiness requirements. Not only that but your DoD Mission Owner (MO)—or your DoD sponsor entity—may select DoD Service Level Agreement (SLAs) and Privacy Overlay controls (NIST 800-53-based) as well DoD agency requirements or data classifications/usage applicable to your CSO.
So what does it take to “summit” what can be incredibly complex DoD requirements? As a seasoned 3PAO, we’re going to pass some insight on to you.
In this article, we’ll break down the different DoD Assessment requirements as laid out by the Defense Information Systems Agency (DISA), along with the necessary deliverables needed for review and what must happen after the initial package gets approved or if any changes are made.
Read on to understand how this all works so you can better simplify what are incredibly complex compliance requirements.
A Breakdown of Required DoD Compliance Controls
In-Scope DoD NIST SP 800-53 Controls by Impact Level
DoD requires a FedRAMP System Security Plan (SSP) and DoD SSP Addendum for all Impact Levels (IL4-IL6) CSO packages. This addendum is structured similarly to the FedRAMP SSP—it covers the descriptions of security control implementations for DoD-impacted controls (IL4, IL5, IL6 controls):
*Control CA-3(1) is not applicable at impact level 6. Moderate and High IL6 adds SC-7(14).
NOTE: DoD adds several control parameter changes to FedRAMP control baselines.
For details of controls in the above table, see Table 5-1 DoD FedRAMP+ Security Controls/Enhancements in the SRG v1r4.
NIST SP 800-53 DoD Service Level Agreement (SLAs) and Privacy Overlay Controls
The DoD SSP Addendum is also used to document control implementations for DoD Mission Owner Service Level Agreements (SLAs) and Privacy Overlay controls if in scope.
To confirm whether these are required as part of your baseline and need to be assessed, check with your DoD Mission Owner and DISA. If they are, see sections table D-2 and Appendix E, respectively, within the DoD SRG v1r4 for details.
Non-NIST-Based DoD Requirements
Here’s a high-level (i.e., not exhaustive) summary of what those address:
- Supply Chain Risk Management Plan (SCRM Plan), including anti-counterfeit plan.
- Multi-factor authentication with virtual/soft tokens (IL2 and IL4) or physical/hard tokens (IL5 – IL6) is required.
- Physical separation of IL5 tenant data from non-federal tenant data. Logical separation must exist between the federal agency and DoD tenants for IL2 and IL4.
- System components must be hardened using DISA STIGs, when available.
DoD General Readiness Requirements
The DoD SSP Addendum also covers DoD General Readiness requirements, which are outlined in section 11.1 DoD General Readiness Requirements (GR):
|GR-1||DoD PKI Authentication||
|GR-2||DoD IP addressing||
|GR-4||Management Plane Connectivity||
|GR-6||Private Connection Availability Between CSP’S/CSO’s Network and DoD Network||
|GR-7||Reliance on Internet-Based Capabilities||
|GR-8||Reliance of Internet Access||
|GR-10||Defense in Depth Architecture||
DoD Security Assessment Deliverables
Testing of what’s applicable above all rolls up into your 3PAO-developed DoD assessment package, which includes the following required deliverables to be submitted to DISA:
Security Assessment Plan Package (SAP):
- Includes control testing approach, methodology, testing scope, and penetration testing plan and/or rules of behavior.
Security Assessment Report Package (SAR):
- Includes control testing results (FedRAMP controls, aforementioned DoD IL controls and parameters, SLAs, Privacy, and GR requirements), penetration testing report, data used for the assessment (e.g., raw scan output), and a Risk Exposure Table (RET).
DISA also requires a DoD Readiness Assessment Report (RAR) to be submitted for review as part of your initial assessment. As a summary of your security control capabilities, this is used for DoD’s easier digestion of your security assessment results as a whole.
Continuous Monitoring (Ongoing Assessment) Phase
Once the package has been reviewed and approved, your CSO obtains a DISA Provisional Authorization (PA) and MO ATO, after which you enter the continuous monitoring (annual assessment) phase.
Requirements for this recurring, annual assessment are reduced and typically include:
- Core FedRAMP controls (with DoD parameters)
- About one-third of discretionary controls (one-third of the total control baseline minus core controls):
- Testing one-third of discretionary controls occurs in a rolling fashion (SLAs, Privacy included) so that all discretionary controls are tested by the end of the third annual assessment year.
- All Non-NIST based requirements must be maintained.
- DoD General Readiness Requirements are tested again during the third annual assessment.
- Note: Some DoD MOs do not require this retesting of GRs at all, while some may want them retested on an annual basis.
Your annual assessments should occur before the DISA Provisional Authorization (PA) and MO ATO expiration date—talk to your MO for guidance to ensure your latest SAR will be delivered before due.
NOTE: A RAR is not a requirement for annual continuous monitoring (ongoing assessment).
DoD Requirements for Significant Changes
Of course, information systems aren’t static and you’ll probably introduce updates at some point—including after obtaining ATO. But like FedRAMP, DISA requires full planning, documentation, visibility and awareness, and security testing regarding changes deemed to affect your security posture or alter security control implementation.
A.K.A. “significant changes,” these are defined as the following:
“a change that is likely to affect the security state of an information system.” Examples are provided as follows: “Significant changes to an information system may include for example: (i) installation of a new or upgraded operating system, middleware component, or application; (ii) modifications to system ports, protocols, or services; (iii) installation of a new or upgraded hardware platform; (iv) modifications to cryptographic modules or services; or (v) modifications to security controls. Examples of significant changes to the environment of operation may include for example: (i) moving to a new facility; (ii) adding new core missions or business functions; (iii) acquiring specific and credible threat information that the organization is being targeted by a threat source; or (iv) establishing new/modified laws, directives, policies, or regulations.”
Talk to your FedRAMP/DoD advisor, DISA representative, and DoD MO to determine if your proposed change fits into this category and if so, here’s what has to happen:
- You must complete a Security Impact Analysis (SIA) for DISA before implementing the change (typically before the change is assessed as well).
- The SIA form can be found on the NIPRNet—ask your DISA representative or DoD MO for the location
- You must give a 30-day notice before implementing significant changes so DISA has time to review the change and align the SIA.
- DISA can revoke the DoD PA if proper notice is not given or if a change is implemented without authorization.
- Specific policy guidance for significant changes can be found within the SRG Section 5.3.2 Change Control.
When submitting your Significant Change SIA, here’s a simple breakdown of where to send yours:
Submit to FedRAMP JAB if you are a:
Submit to DISA and DoD MO if you are a:
No matter where you submit the form, DISA and/or the DoD MO will ultimately have a chance to review and approve all significant changes.
Next Steps for DoD Compliance
Like climbing K2, obtaining a DoD PA or ATO is possible despite the complications and requisite intensity. But with this “base camp” of information, you can move forward with DoD compliance using your new understanding of key details.
To learn more about federal compliance, check out our other articles delve into the various complexities:
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.